CLAIMS

1. A method for authenticating a user of a first terminal in a communication system, characterized in that the method comprises the steps of:

setting up a first logical channel via a communication network between a first terminal and a service provider; and

identifying the identity of the user of the first terminal after the first logical channel set up via a second logical channel other than the established first logical channel between the service provider and the first terminal prior to providing any services to the user of the first terminal.

2. The method according to claim 1, characterized in that the method further comprises the steps of:

sending a user identification request from the service provider to the first terminal via the second logical channel while the first logical channel exists between the first terminal and the service provider;

receiving the user identification request with the first terminal while the first logical channel exists;

digitally signing the request;

sending the signed request with the first terminal via the second logical channel;

authenticating the user of the first terminal and verifying the digital signature; and

providing the user with services provided by the service provider via the first logical channel.

3. The method according to claim 1, characterized in that the method further comprises the steps of:

sending a user identification request for the user of the first terminal from the service provider to a second terminal via the second logical channel while the first logical channel exists between the first terminal and the service provider;

receiving the user identification request with the second terminal while the first logical channel exists;

digitally signing the request;

sending the signed request with the second terminal via the second logical channel;

authenticating the user of the second terminal and verifying the digital signature; and

providing the user of the first terminal with services provided by the service provider via the first logical channel.

4. The method according to claim 1, characterized in that the method further comprises the steps of:

sending a user identification request for the user of the first terminal from the service provider to a second terminal via the second logical channel, the user identification request comprising also a challenge;

receiving the user identification request comprising the challenge with the second terminal;

digitally signing the request comprising the challenge;

sending the signed request with the second terminal via the second logical channel;

providing the user of the first terminal with the challenge with the second terminal;

providing the service provider with the challenge acquired from the user of the second terminal;

comparing the challenge in the signed message from the second terminal and the challenge provided by the user of the first terminal; and if the challenges are equal,

authenticating the user of the second terminal and verifying the digital signature; and

providing the user of the first terminal with services provided by the service provider via the first logical channel.

5. The method according to claim 1, 2, 3 or 4, characterized in that the first and/or second logical channel refers to a packet switched connection.

6. The method according to claim 1, 2, 3 or 4, characterized in that the first and/or second logical channel refers to a circuit switched connection.

7. The method according to claim 1, 2, 3 or 4, characterized in that the method further comprises the step of:

arranging a security gateway forming an interface towards the first and/or second terminal.

8. The method according to claim 7, characterized in that the method further comprises the steps of:

identifying the service provider with the security gateway;

sending a user identification request from the service provider to the security gateway;

sending the user identification request from the security gateway to the first terminal via the second logical channel;

receiving the identification request with the first terminal;

digitally signing the request;

sending the signed request to the security gateway via the second logical channel;

retrieving a certificate related to the user of the first terminal;

authenticating the identity of the user of the first terminal and verifying the digital signature; and

providing the user of the first terminal a service provided by the service provider via the existing first logical channel.

9. The method according to claim 7, characterized in that the method further comprises the steps of:

identifying the service provider with the security gateway;

sending a user identification request of the user of the first terminal from the service provider to the security gateway;

sending the user identification request from the security gateway to a second terminal via the second logical channel;

receiving the user identification request with the second terminal;

digitally signing the request;

sending the signed request to the security gateway via the second logical channel;

retrieving a certificate related to the user of the second terminal;

authenticating the identity of the user of the second terminal and verifying the digital signature; and

providing the user of the first terminal a service provided by the service provider via the existing first logical channel.

10. The method according to claim 2, 3, 4, 8 or 9, characterized in that the method further comprises the step of:

encrypting the user identification request sent to the first and/or second terminal using symmetric or asymmetric encryption; and

encrypting the signed request sent from the first and/or second terminal using symmetric or asymmetric encryption.

11. The method according to claim 8 or 9, characterized in that the method further comprises the step of:

encrypting the signed user identification request sent to the security gateway using symmetric or asymmetric encryption.

12. The method according to claim 8 or 9, characterized in that the method further comprises the steps of:

retrieving with the security gateway a certificate related to the user of the first and/or second terminal;

creating and sending a validating message to the service provider; and

validating the user of the first and/or second terminal with the service provider based on the validating message and validating information.

13. The method according to claim 8 or 9, characterized in that the method further comprises the steps of:

retrieving with the security gateway validation information comprising at least a certificate related to the user of the first and/or second terminal;

authenticating the identity of the user of the first and/or second terminal with the security gateway based on the validation information; and

sending a positive validation message to the service provider if the result of the validation was positive.

14. The method according to claim 1, characterized in that if the first logical channel fails during the validation procedure, the method further comprises the steps of:

creating a challenge;

encrypting the challenge with the public encryption key of the user of the first terminal;

sending the encrypted challenge to the first terminal;

decrypting the encrypted challenge in the first terminal;

setting up a new logical channel to the service provider;

providing the service provider with the decrypted challenge; and if the challenge is acceptable,

providing the user of the first terminal via the logical channel with a service provided by the service provider.

15. The method according to claim 14, characterized in that the method further comprises the step of:

sending the encrypted challenge to the first terminal via a security gateway.

16. A system for authenticating a user of a first terminal in a communication system, the system comprising:

a communication network (NET),

a first terminal (DTE) associated with the communication network (NET),

a service provider (SP) associated with the communication network (NET),

a certificate service provider (CA),

characterized in that the system further comprises:

sending means (SM) for sending a user identification request to the first terminal (DTE) or a second terminal (DTE2); and

identifying means (ID) for identifying the identity of the user of the first terminal (DTE) after a first logical channel has been set up via a second logical channel other than the established first logical channel between the service provider and the first terminal (DTE) prior to providing any services to the user of the first terminal (DTE) based on the information provided by the certificate service provider (CA).

17. The system according to claim 16, characterized in that the system further comprises:

a security gateway (GW) in connection with the service provider (SP) and certificate service provider (CA).

18. The system according to claim 17, characterized in that the security gateway (GW) is managed by the service provider (SP).

19. The system according to claim 17, characterized in that the security gateway (GW) is managed by a third party.

20. The system according to claim 16, characterized in that said sending means (SM) are arranged in the service provider (SP).

21. The system according to claim 16 or 17, characterized in that said sending means (SM) are arranged in the service provider (SP) and security gateway (GW).

22. The system according to claim 16 or 17, characterized in that said identifying means (ID) are arranged in the service provider (SP) and/or security gateway (GW).

23. The system according to claim 16, characterized in that the service provider (SP) comprises:

first encrypting means (EN1) for encrypting information; and

first decrypting means (DE1) for decrypting information.

24. The system according to claim 17, characterized in that the security gateway (GW) comprises:

second encrypting means (EN2) for encrypting information; and

second decrypting means (DE2) for decrypting information.

25. The system according to claim 16, characterized in that the first terminal (DTE) and/or second terminal (DTE2) comprises:

third encrypting means (EN3) for encrypting information; and

third decrypting means (DE3) for decrypting information.

26. The system according to claim 20 or 21, characterized in that said sending means (SM) are arranged to send a challenge to the first terminal (DTE) in the event that the logical channel set up between the first terminal (DTE) and service provider (SP) fails.

27. The system according to claim 20 or 21, characterized in that said sending means (SM) are arranged to send a challenge to the second terminal (DTE2).

28. The system according to any of the claims 16 - 27, characterized in that the communication network is a GSM network.

29. The system according to any of the claims 16 - 27, characterized in that the communication network is a GSM network with the GPRS feature.

30. The system according to any of the claims 16 - 27, characterized in that the communication network is an UMTS, a CDMA, a WCDMA, an EDGE, a Bluetooth, or a WLAN network.
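
The challenge comparison and signature verification of claim 4, as an added Go example that is not part of the patent text. The message layout, the function names, and the use of Ed25519 with a bare public key in place of a certificate retrieved from the certificate service provider are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// IDRequest is the user identification request sent over the second channel.
// Field names are assumptions; the claims do not define a message format.
type IDRequest struct {
	SessionID string // identifies the first logical channel
	Challenge string // random value the user relays over the first channel
}

func (r IDRequest) bytes() []byte { return []byte(r.SessionID + "|" + r.Challenge) }

// NewRequest is the service provider step: create a fresh random challenge.
func NewRequest(sessionID string) (IDRequest, error) {
	buf := make([]byte, 8)
	if _, err := rand.Read(buf); err != nil {
		return IDRequest{}, err
	}
	return IDRequest{sessionID, hex.EncodeToString(buf)}, nil
}

// SignRequest is the second terminal step: sign the received request.
func SignRequest(priv ed25519.PrivateKey, r IDRequest) []byte {
	return ed25519.Sign(priv, r.bytes())
}

// Authenticate is the service provider check: the challenge relayed over the
// first channel must equal the signed one, and the signature must verify
// under the user's public key (assumed to come from the user's certificate).
func Authenticate(pub ed25519.PublicKey, r IDRequest, sig []byte, relayed string) bool {
	if subtle.ConstantTimeCompare([]byte(r.Challenge), []byte(relayed)) != 1 {
		return false
	}
	return ed25519.Verify(pub, r.bytes(), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	req, _ := NewRequest("session-1") // constructed sample session id
	sig := SignRequest(priv, req)
	fmt.Println(Authenticate(pub, req, sig, req.Challenge)) // matching challenge
	fmt.Println(Authenticate(pub, req, sig, "wrong"))       // mistyped challenge
}
```

Because the session identifier is part of the signed bytes, a signature produced for one first-channel session does not verify for another.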



